Risk Management Reports

December, 2000

Volume 27, No. 12

An Iconoclastic View of Risk

This article is a revised
version of a speech that I gave to the UK Association of Risk Managers
at its Convention 2000 in Gleneagles, Scotland, on November 2, 2000. It
incorporates many themes familiar to readers of Risk Management Reports.

Challenging the accepted
or conventional wisdom is always undertaken with considerable trepidation.
Past challengers, like Galileo, Quixote and numerous heretics, met derision
or, worse, a flaming stake. Recently we've turned to brainwashing
and propaganda to enforce conformity. But the worst fate is probably being
disregarded.

I want to attack four serious
misconceptions about risk and risk management. Hence the title, "An
Iconoclastic View of Risk." Today we know icons more as computer
symbols than as the traditional representations of religious persons or
images. An iconoclast is one who wants to destroy those symbols. According
to the great Arnold Toynbee, in his A Study of History, "the essence
of iconoclasm is an objection to a visual representation of the Godhead
or of any other creature, lower than God, whose image might become an
object of idolatrous worship." This idea is enshrined in the Second
Commandment, which denounces the worship of "graven images,"
and it is also found in Islam.

I want to extend my personal
iconoclastic fury to four "icons" that have grown insidiously
and perniciously within our discipline of risk management, icons which,
if not broken, may undermine what we are trying to accomplish. They are
dangerously subversive.

The four icons that I challenge
are the ideas, first, that "risk" is bad; second, that the primary
goal of risk management is to benefit shareholders; third, that risk management
is the responsibility of specialists; and, fourth, that risk can be transferred.

Icon # 1: Risk is Bad
Why are we so afraid of risk and uncertainty? Consider that the greatest
discoveries of the past five centuries have been stimulated by the willingness
of explorers, inventors, politicians and scientists to take chances of
great loss in return for even greater potential gain. That, to my mind,
is the essence of the human spirit, this quest for the new and the unknown.
Yes, we are faced by uncertainty whenever we make a decision. The decision
itself creates uncertainty as to outcomes. But some of that uncertainty
can be measured, thus becoming "risk," and through this measurement
we position ourselves to make better decisions, pushing human boundaries
outward.

The current problem is the
prevailing definition of "risk" offered by some of the risk
management sub-disciplines, a definition that is creeping into the vernacular.
Safety, public policy and insurance professionals continue to see "risk"
primarily as a negative, something to be avoided, reduced or shifted,
despite the contrary and broader view of our financial and market brethren.
First, this difference confuses those who study the discipline. Second,
the more restricted view corrupts responses to risk situations. It forms
an artificial blinder that constricts perspective. Our ever-increasing
ability to measure risk, so thoroughly described in Peter Bernstein's
Against the Gods, comes to naught if all we try to do is avoid it.

That risk and uncertainty
are important stimulants for life has been trumpeted by wiser observers
than me. ". . . Uncertainty, far from being a symptom of imperfection,
is in fact a natural property of economics, indeed, probably of all life
systems. . . . Uncertainty is the name of the game in the service economy."
Thats from Orio Giarini, of the Geneva Association. Richard Feynman,
the Nobel Laureate physicist adds: ". . . it is in the admission
of ignorance and the admission of uncertainty that there is hope for the
continuous motion of human beings in some direction that doesnt
get confined, permanently blocked, as it has so many times before in various
periods in the history of man." And John Adams, in his 1995 book
Risk, sees risk as a cultural construct that "illuminates a world
of plural rationalities." Risk, to him, is a "balancing act"
in which the actors "balance the expected rewards of their actions
against the perceived costs of failure" in a world in which both
it and our perceptions of it are constantly being transformed by our effect
on the world and its effect on us.

It therefore matters how
we define risk for our discipline. The November 1, 2000, Draft of the
ISO/TMB Risk Management Terminology Paper, currently under review and
discussion, is a step in the right direction. Its authors define risk
as "the combination of the probability of an event and its consequence,"
noting that "consequence may be either positive or negative."
ISO adds a footnote suggesting that, "in some situations, risk is
a deviation from the expected." That's my preferred definition,
one I've been using since 1990. It is brief and it incorporates both
the positive and negative, the yin and yang, the complementary opposites,
of risk.

Risk always involves a potential
reward, whether real or imagined, tangible or intangible. That's
why we make decisions involving risk, our personal measure of the uncertainty.
To deny the reward element is to distort any subsequent decision. This,
to my mind, is why we must break the icon that "risk is bad."

I have three final thoughts
on this subject. First, we should acknowledge that not everyone relishes
risk and uncertainty as we hope they should. Anthony Storr wrote in 1996,
"Doubt and uncertainty are distressing conditions from which men
and women passionately desire release . . . . As a species, we are intolerant
of chaos and have a strong predilection for finding and inventing order
. . . . Certainty is hugely seductive." It is the seduction of imagined
or promised certaintythe insurance policy that purports to cover
everything; the religion that purports to give all the answersthat
becomes so corrosive. Yet it is a human response, one that a risk manager
must consider.

Second, risk management,
our operational framework, thus becomes "a discipline for dealing
with uncertainty," an acknowledgment that both risk and uncertainty
are creative stimulants in our lives, and are all pervasive. Uncertainty
is "the openness of possibility," according to Feynman. Jacob
Bronowski phrased it perfectly: " . . . the reality - that, however
delicately we work, the random still clings about the systematic, the
fluctuations still blur the trend."

And third, I sum up this
first icon-smashing effort with a rephrasing of René Descartes'
cogito ergo sum - "I think, therefore I am." I suggest it should
be periclitor ergo sum - "I risk, therefore I am." Taking risk
is the defining element in human existence. We should relish, not avoid
it; balance, not eliminate it.

Icon # 2: The Goal is to Benefit Shareholders
One of the most pernicious current beliefs
of risk management is that its sole purpose is to serve shareholders,
to increase share prices. A review of the literature of the last two decades
reveals an overwhelming acceptance of this "icon." As one example,
the cover of the September/October 2000 issue of InfoRM, the magazine
of the Institute of Risk Management, trumpets the idol of "shareholder
value." Much of this thinking was spawned by the University of Chicago
approach to economics and the undeniable recognition that many corporations
became bloated with excessive infrastructure, cheating stockholders of
deserved wealth. Yet in the rush to worship the Mammon of share value,
we have become short-sighted. We've lost touch with the longer-term
principles that support survival. If the focus is narrow "shareholder
value," how do we then apply risk management to nonprofits, mutual
companies, or governmental organizations?

Fortunately, the pendulum
is swinging back to common sense. Two recent books support my contention.
Allan Kennedys The End of Shareholder Value attacks the premise
that shareholders are pre-eminent in the pantheon of corporate interests.
He suggests that this misplaced emphasis has resulted in unnecessarily
large staff cut-backs, a reduction in research and development expenditures,
and a misapplication of stock option incentives to senior management,
all of which contributed to the current irrational market boom. The result:
an inevitable reaction from other disenfranchised stakeholders. Employees
are no longer loyal to the firm. Suppliers, pressured by demands to reduce
costs, reduce services. Customers, seeking only the lowest price, ignore
respect for and loyalty to brands. Communities, faced with facilities
easily uprooted without notice, respond with restrictive governmental
regulations. Kennedy argues that "reconnecting" with these stakeholder
groups will be the major mandate for the current decade, as we try and
rebuild trust and confidence. Isn't this the primary role for risk
management?

The second book is the natural
follow-up to Kennedy, John Plender's A Stake in the Future: The Stakeholding
Society. Plender asserts the ethical and economic benefits of running
a company for the benefit of stakeholders rather than just shareholders.
I readily admit that this idea still arouses considerable skepticism,
even among economic liberals, but I suggest that it is the coming force.

Risk managements most
important role is becoming the mechanism that corrects erratic steering,
bringing the vessel back on a principled course. The proper course is
to serve all stakeholders, from employees and customers, to suppliers,
investors, lenders, regulators, and the community at large. An over-focus
on any one set of stakeholders inevitably cheats others. The risk management
function has a positive obligation to assess and respond to risks and
to develop and maintain a continuing two-way dialogue with every stakeholder
group. Our role is not to "reduce the cost of risk," the mantra
that has consumed the discipline for almost twenty years, but to enable
an organization to build a higher level of confidence and trust within
each stakeholder group. That confidence is the most important asset of
any organization. Much of this is recognized by the growing worldwide
movement to re-configure organizational governance. It began with the
adoption of a new set of risk management standards in Australia and New
Zealand and has been followed by the work of the Dey
Committee in Canada, the
Treadway Commission in the US, KonTraG in Germany and the Dey, Hempel
and Turnbull Committees in the United Kingdom. The traditional system
of representative governance through a board of directors, governors or
trustees does not work. We see the same breakdown in government itself.
We no longer trust elected representatives to solve problems, witness
the declining participation in national voting, where often less than
50% of the registered electorate actually votes. More and more change
occurs because of the money and efforts of special interests lobbying
for their perks and because of the outright protests of other groups.
The recent debacle in the UK and Europe over petrol/gasoline prices illustrates
this point.

At the corporate level, boards
fail to represent broader constituencies than just senior managers and
larger shareholders. That is a reason why these commissions have mandated
a serious re-structuring of board responsibilities, one of which is the
assurance that major risks are understood, assessed and managed. We must
move beyond the narrow construction of a director's obligations.
I was pleased to see that a financial magazine, CFO, published by The
Economist Group, this year offered a special award for "managing
external stakeholders."

If we accept the principle
that risk management, like general management, must serve all stakeholders,
not just shareholders, it follows that the biggest single responsibility
of the risk management function is intelligent communication with these
groups. It is also the weakest area of our discipline today. Risk communication
should build and maintain the trust of these groups and their confidence
in the future of the organization. When this trust is high, the organization's
ability to overcome misfortune is enormous; when it is low, no infusion
of cash, however large, can save it.

The founders of the Global
Association of Risk Professionals (GARP), Lev Borodovsky and Marc Loré,
wrote in Risk Professional last year, "no matter what types of methods
are used, the key to risk management is delivering risk information, in
a timely and succinct fashion, while ensuring that key decision makers
have the time, the tools, and the incentive to act upon it." These
"decision makers" include outsiders as well as insiders.

Karen Thiessen, of the Conference
Board of Canada, sums it up: "Communicating risks is the process
of sharing information about an actual or perceived risk in an open and
frank manner. It is essential to building trust with your audience, be
it the community, public, employees, shareholders or other stakeholders."

Communication is not easy.
Often we deal with stakeholders who lack the requisite knowledge and understanding
of issues. Some are fixed on their agendas and don't want to listen
or compromise. The experience of Shell with environmentalists on the Brent
Spar decision arguably led to a conclusion that was worse for the environment
than its original proposal of sinking it at sea. We also deal with arrogant
and frightened managers, witness the recent problems at Mitsubishi, Ford
and Firestone. It will not be easy breaking the instincts to cover up
and hide misfortune, or to try and manipulate share price. These are exactly
the instincts that proper risk management should work to overcome.

Icon # 3: Risk Management is the Responsibility of Specialists
Over the years, numerous silos
of risk management specialization have been erected on the premise that
each specialty is so arcane, so based on long experience, that outsiders
cannot appreciate, much less practice, the trade. We see this in credit,
safety and health, financial derivatives, security, insurance, contingency
planning, auditing, contracts and regulatory management. Each group has
its own language, its own procedures, its own skill sets. Each wants to
be left alone to do the job. Yet this has led to enormous gaps and overlapping
and excessive costs in organizational risk responses. The recent move
to strategic, integrated, enterprise, or holistic risk management is a
recognition that the separation of risk functions is actually counter-productive.

Allowing the specialists
to ply their trades separately does not work. That is one reason for the
rise of a new executive, the Chief Risk Officer. This person is a generalist
who reports to both the Chief Executive and the Board and coordinates
the work of other risk specialists. According to a recent global Internet
symposium conducted by eRisks in New York, there are almost 200 "CROs"
in place, generally in financial institutions, energy and utility companies.
They are beginning to adopt common risk languages and frameworks for their
organizations. They chair multidisciplinary risk oversight committees
and lead new efforts in stakeholder risk communication. Their annual reports
now include extensive remarks on both risks and responses. One of the
best that I have seen is the 1999 report from the Bank of Montreal. Taking
seven of the Reports 72 pages, the risk section emphasized the Banks
commitment to all stakeholders and described its efforts in credit, liquidity,
market and operational risks. At the Bank of Montreal, its CRO is the
Executive Vice President who reports to the CEO and chairs the Risk Management
Group.

Implicit in the CRO movement
is the assumption that risk management is no longer the sole province
of specialists. It is now the responsibility of each and every person
in the organization. The new goal is to build a culture of risk understanding
so that better decisions may be made at every level, every day.

Where will we find these
new CROs? To answer this I looked at the various global organizations
that represent the risk management discipline. Public policy risk managers
belonging to the Society for Risk Analysis and its sub-groups in Europe
and Japan number about 4,000. In the insurance arena, the combined worldwide
members of RIMS, AIRMIC and their fellow associations in IFRIMA, probably
total less than 10,000. GARP, growing rapidly, now has over 13,000 members
in 80 countries. Compare these numbers, however, to the 72,000 global
members of the Institute of Internal Auditors, and you begin to see how
a dramatic predominance of numbers may lead to internal auditors becoming
CROs and commanding the risk management discipline. The IIA is shifting
its emphasis from a more narrow focus on control to broader and comprehensive
risk-based planning in much of its literature, research and training.
Given the existing direct contact of internal auditors with boards, we
may have an irresistible force.

Icon #4: Risk can be Transferred
Almost thirty years ago, at a luncheon meeting of the board of directors
of a major insurance broking firm, I suggested the idea that "insurance
is a pre-funded line of credit." This heresy met uniform derision,
as they explained that insurance is a risk transfer mechanism. I persisted
in my belief, however, coining Kloman's First Law of Risk Management
in the mid-1980s: "There is no such thing as risk transfer; there
is only risk sharing." I believe that risk is created by decisions
of individuals or organizations. The potential rewards and penalties accrue
to those decision makers. Risk remains their responsibility. Some risk,
however, may be shared. An entrepreneur shares both reward and loss with
investors who buy stock. Some risk may be diversified. A trader sells
a derivative. An insurance buyer shares risk with an insurance company,
a pooling of funds given to a fiduciary in return for dispensing them
under certain circumstances. Yet most of the risk remains with the original
decision maker, and the sharing actually creates a new risk, that the
counterparty may be unable to meet its obligations.

One of the worst fallacies
foisted on the public by the insurance industry is that insurance actually
solves a risk problem. It does not. It simply provides the possibility
of some sharing, some spreading of the risk.

I recently uncovered a classic
case of misplaced reliance on insurance. The CFO of a US firm was asked
about his organizations dependency on its website and electronic
media. The CFO responded: "If the security or privacy of our Website
or network were compromised, it would blemish our brand and cause irreparable
harm. So our feeling was, let's not spend time thinking about this;
let's protect our capital investors and buy an insurance policy."
This attitude not only subscribes to the fallacy that risk can be transferred,
it also blindly follows Icon Number 2, substituting shareholders
for stakeholders. This ostrich-like approach is a patent denial of managerial
responsibility.

My point is that we must
accept full responsibility for the risk decisions that we make. We can
find partners with whom to share some portion of the risk but the final
outcome is ours.

The Icons Revisited
My objective has been to challenge four serious misunderstandings of risk
and risk management. I've tried to shatter some cherished but mistaken
beliefs, as a good iconoclast should. If we do not break the delusionary
icons that lead us in the wrong direction, toward false gods, we may remain
buried in risk illiteracy. If we continue to accept the former "gospel,"
we may find ourselves mired in a dangerous form of risk management fundamentalism.
Risk involves the potential for both reward and harm. The goal is to benefit
all stakeholders. Risk analyses and responses must be coordinated, and
risk is never transferred, only shared. Risk management then becomes,
in the words of Sheila Jasanoff of Harvard University, a "framework
for learning in the face of uncertainty."

There is, of course, the
possibility that my interpretation is also flawed. That's your challenge:
to think seriously about what I have suggested, not just accept it as
you may have accepted the previous icons.

I conclude with an appropriate
haiku from the Japanese poet Issa. He wrote this after seeing an itinerant
monk preaching on the side of the road: